Research

Apple just released an update to Leopard, version 10.5.1. The support document says the following: Addresses a code signing issue; third-party applications can now run when included in the Application Firewall or when whitelisted in Parental Controls. In Security preferences’ Firewall tab, the “Block All” option is now called “Allow Only essential services” Well, I suppose that’s some kind of progress. At least it’s labelled accurately. I’ve been really slammed this week, but Chris and I should have the instructions for using WaterRoof in combination with our template ipfw rule set and the Application Firewall soon (hopefully today). I’ve tested the update and the application firewall still signs applications, but instead of just failing to launch modified applications, we’re now prompted to allow access manually again if they change. Code signing can be rough because of issues like this, and I think the prompt is a reasonable solution. However, I would prefer it to say, “This application has been modified since its last use; please click to allow network access” so we know that it’s a real change to the application and not just a random prompt to approve again. In a separate document, Apple details some additional security updates to the application firewall. Most notably, the firewall will now block processes running as root if you specify them in the application firewall. Based on these updates I’m now running the application firewall with ipfw, and will try and get those instructions posted soon. Not that any of this matters much since there are no network attacks on Macs in the wild right now, but we all know that can’t last… Share:

While I was off traveling, Martin posted the latest episode of the Network Security Podcast. Rather than posting the show notes here, I’d like to redirect you to our new site: NetSecPodcast.com. This is where we’ll be posting all the show notes, taking feedback on episodes, and posting any content and updates directly related to the show. This week we covered a few quick issues, then we spent 10 minutes playing Mystery Science Theater on Martin’s very first episode. Oh, I didn’t mention this is the 2 year anniversary of the show? Congrats Martin, and thanks for bringing me on- hopefully I’m not dragging the show down too fast… Share:

I’ve been invited to give the keynotes at both the SANS Data Leakage Summit and the Mobile Encryption Summit. Both are at the Dolphin hotel at Disney in Orlando. The DLP event is on December 3rd and 4th, and the encryption event on the 5th and 6th. Here’s my affiliate link to SANS if you’re interested in the events. At the DLP event I’ll be presenting Three Steps To Selecting A DLP Product And The Top Five Features To Look For. I’ll also be releasing Understanding And Selecting A Data Loss Prevention Solution as a white paper, which will also be distributed online by SANS and sponsored by Websense. Over at the encryption event I’m presenting Understanding and Preventing Data Breaches. It’s a general presentation, not specific to just encryption. These conferences are designed for those in the planning or implementation phases for DLP or mobile encryption. There are a couple of presentations like mine, but most of the event is panels with users with real experience using the products. As a preview, here’s a QuickTime movie of the DLP pitch’s opening. I hope to see you there… Share:

Rules revised. As suggested by windexh8er, here’s a set of ipfw rules to customize for your own Macs or FreeBSD systems. Note that your private home network should have a non-standard IP range, both to support VPN across standard IP ranges, and for improved security, so your personal allow rules don’t match other networks you may find yourself wandering through. The rules are below, but you’ll probably have an easier time if you download the rule file from http://securosis.com/wp-content/uploads/2007/11/ipfw-securosis.txt. In WaterRoof, you can import these rules with “Tools > Rules Configuration > Import rules from file..”. To check your ipfw rules, use “sudo ipfw list”. When you’re satisfied with your rules, install them for future reboots with “Tools > Rules Configuration > Save to startup configuration” and “Tools > Startup Script > Install Startup Script”. # DO NOT USE THESE RULES without customizing them first! # Version: 2007/11/15 # For more information, see http://securosis.com/2007/11/15/ipfw-rules/ # These rules *MUST* be customized to your requirements. # In particular, if you have a private home network (behind an AirPort # Base Station, Linksys WRT54G, etc.), change “10.42.24.0/24” below to # your private network range. # Additionally, allow only ports you actually use; other ports should be # blocked by the ipfw firewall. # Thanks to: # Rich Mogull http://securosis.com # windexh8er: http://www.slash32.com/ # Lee: http://thnetos.wordpress.com/ # Chris Pepper http://www.extrapepperoni.com/ # Apple (Server Admin is a good way to create an ipfw ruleset) # http://www.apple.com/server/macosx/ # FreeBSD (where Apple got ipfw) http://www.freebsd.org/ # We don’t really want this, but it’s unavoidable on Mac OS X Server, so # document it here (serialnumberd) # 100 allow udp from any 626 to any dst-port 626 # Let me talk to myself over the loopback add 200 allow ip from any to any via lo0 # Loopback addresses on non-loopback interfaces are bogus add 300 deny log logamount 1000 ip from any to 127.0.0.0/8 add 310 deny log logamount 1000 ip from 224.0.0.0/4 to any in # Block multicast if you don’t use it # add 400 deny log ip from 224.0.0.0/4 to any in # Accept responses to my client programs add 500 check-state # If we let the conversation begin, let it continue add 600 allow tcp from any to any established # Let my programs get out. add 700 allow tcp from any to any out keep-state add 710 allow udp from any to any out keep-state # Change this to DENY fragments if you don’t need them. add 800 allow udp from any to any in frag # Block bogus inbounds that claim they were established # add 900 deny log tcp from any to any established in # add 1000 allow icmp from 10.9.7.0/24 to any icmptypes 8 # Server Admin provides these by default add 1100 allow icmp from any to any icmptypes 0 add 1110 allow igmp from any to any # mDNS (Bonjour) from trusted local networks (fill in your own, # preferably non-standard, networks after ‘from’) # For Back to My Mac, you might need this from ‘any’ # add 5000 allow udp from 10.42.24.0/24 to any dst-port 5353 # add 5010 allow udp from 10.42.24.0/24 5353 to any dst-port 1024-65535 in # DNS (note TCP is required, but this one should scare you — much # better to only allow packets from your trusted nameservers, if you # always use the same ones) add 5100 allow tcp from any to any dst-port 53 add 5110 allow udp from any to any dst-port 53 add 5120 allow tcp from any to any dst-port 53 out keep-state add 5130 allow udp from any to any dst-port 53 out keep-state # ssh add 5200 allow tcp from any to any dst-port 22 # iTunes music sharing #add 5300 allow tcp from 10.42.24.0/24 to any dst-port 3689 # AFP #add 5400 allow tcp from 10.42.24.0/24 to any dst-port 548 # HTTP (Apache); HTTPS # add 5500 allow tcp from any to any dst-port 80 # add 5510 allow tcp from any to any dst-port 443 # L2TP VPN # add 5600 allow udp from any to any dst-port 1701 # add 5610 allow esp from any to any # add 5620 allow udp from any to any dst-port 500 # add 5630 allow udp from any to any dst-port 4500 # iChat: local #add 5700 allow tcp from 10.42.24.0/24 to any dst-port 5298 #add 5710 allow udp from 10.42.24.0/24 to any dst-port 5298 #add 5720 allow udp from 10.42.24.0/24 to any dst-port 5297,5678 # Server Admin SSL (Mac OS X Server only) # add 5800 allow tcp from 10.42.24.0/24 to any dst-port 311 # add 5810 allow tcp from 10.42.24.0/24 to any dst-port 427 # add 5820 allow udp from 10.42.24.0/24 to any dst-port 427 # syslog # add 5900 allow udp from 10.42.24.0/24 to any dst-port 514 # ipp (CUPS printing) # add 6000 allow tcp from 10.42.24.0/24 to any dst-port 631 # MTU discovery add 10000 allow icmp from any to any icmptypes 3 # Source quench add 10100 allow icmp from any to any icmptypes 4 # Ping out; accept ping answers add 10200 allow icmp from any to any icmptypes 8 out add 10210 allow icmp from any to any icmptypes 0 in # Allow me to traceroute add 10300 allow icmp from any to any icmptypes 11 in # My default policy: log and drop anything that hasn’t matched an allow # rule above add 65534 deny log logamount 1000 ip from any to any # Hard-coded default allow rule (compiled into Darwin kernel) add 65535 allow ip from any to any Share:

I was quite bemused today to read this article in NetworkWorld that Google’s Postini is jumping into DLP. Google”s Postini division today announced that its e-mail-content-filtering service has been enhanced to detect “logical expressions,” such as credit-card data and Social Security numbers. … Adam Swidler, Postini senior product manager, says the e-mail security service includes filtering of more “sophisticated expressions” that extend beyond Postini”s earlier limits to keywords. “This is for compliance and content-policy management, with content-based inspection for inbound and outbound traffic,” he says. “Today it’s for companies using Gmail, but we expect to extend this to instant messaging, the Web and the rest of Google Apps, like Google Spreadsheets.” I don’t see why they can’t just call it regular expressions like everyone else. This is a great example of a vendor hopping on the bandwagon by adding a small part of DLP functionality to a product line. Knowing the problems even established, dedicated DLP vendors have with false positives I suspect this will be a bit more challenging than Google/Postini realizes. Not that a basic DLP feature or two don’t have value in lower-risk environments; something as basic as this might work for some of you out there, as long as you manage your expectations. If anything, I think this, combined with the Vontu acquisition, might finally nudge DLP to the peak of the Hype Cycle. Share:

I’ll be on the “Threats Jeopardy” panel at 11:15 over in Yerba Buena Theater. Meetings are booked up for the day, but I’ll be back in the area on the 29th. Share:

Amrit Williams dropped a post on some of the new cases, and new penalties, for certain kinds of cybercrime. In it he states: The risk/reward for committing cybercrime is shifting, which will not result in less cybercrime only more sophisticated criminal activity. So more evidence that hostile actors will become more organized, more sophisticated, and much harder to detect with traditional security measures. I tend to agree slightly- as you raise the stakes the potential reward needs to increase at least proportionally to the risk, but Amrit’s missing the main point. Mike Rothman gets us closer: … but I’m not sure they are going to behave differently whether they are subject to 10 years or 3 years in the pokey. Whether the fine is $250,000 or $10 million. I don’t know much, but I suspect that most bad guys don’t want to get caught. … The folks know what’s at stake, but they don’t think they’ll be caught. And there’s the rub. The biggest penalties in the world are totally ineffective as a deterrent if they aren’t enforced. From compliance, like PCI, HIPAA, and SOX, to cybercrime, a law isn’t a law until someone goes to jail for it. Rothman nails it- right now the bad guys act with near impunity because they know the odds of getting caught are low. If all we do is improve enforcement of existing laws, and learn how to better enforce cybercrime laws across international boundaries (that’s a biggie) we’ll do FAR more to reduce cybercrime than increasing the penalties. Share:

This isn’t a shopping holiday. It’s time to give thanks to those who defend us all, regardless of your feelings towards any officials (elected or otherwise). I read recently that 1 in 4 homeless are veterans, yet vets are only 11% of the population (sorry, no link). That’s a travesty, and instead of looking for a sale, consider donating to a vet-friendly charity. I’ll be donating to the Fisher House today. Share:

I woke up in a pretty good mood this morning. First of all, it’s Friday and I can just feel the weekend oozing around the corners of the neighborhood. Sure, every day is either a Friday or a Monday when you’re self employed, but there’s still something special about the official weekend. I also woke up a little more alert than usual lately, and even decided to skip my morning routine of getting totally ready before slipping downstairs for some morning coffee and news (via RSS, of course). That’s when my day took a sad turn. As soon as I dug into my news feeds I saw that my friend Amrit’s blog had been pwned by some attacker looking to damage his reputation. That’s the only thing that can explain this post on how DLP is just a feature of either network security or endpoint security. Either that, or Amrit was intentionally goading me, something all of us security bloggers are a little prone to doing. I’ll just point out a few internal inconsistencies with the hax0r-pretending-to-be-Amrit’s position. However I need to call out several things that are being missed in all the DLP analysis. First DLP is a future feature of either network or host-based security, just as all other security technologies whether they be AV, IDS/IPS, firewall, etc are segmented by network and host so shall DLP follow. The never ending explosion of crap and bloatware that must be deployed at the network and host is becoming increasingly difficult to manage. So why would an organization want a separate infrastructure, team, and set of processes to deal with data security differently than information security? Um, last time I checked data security was part of information security. But this is a great example of what Hoff and I have been ranting on about the loss of the term information security, which in some circles only represents AV and firewalls. If that’s your definition of information security, Amrit is correct. Also, we see more divisions than just host and network in real-world operational environments. Is application security a network or host issue? Incident response? SIEM? NAC? Even web filtering today has both host and network components. Those lines were drawn when it made sense to draw those lines; now we’re drawing new ones. We need a different infrastructure, team, and set of processes because you can’t solve the problem with network-only or host-only infrastructure, teams, and processes. We’re solving a business problem (”protect my data”), not just thinking of this as a collection of tools. Second thing to note is that organizations segment administration responsibility between the network and desktop and servers, that is network security technologies are generally purchased, deployed, and administered by a different group (usually network operations) than the group that is responsible for desktop security (usually desktop operations/support). It is common for an organization to deploy one AV vendor at the email gateways and a separate vendor at the desktop, just like it is common to deploy different firewalls at the network vs. the host, same with anti-spam, Intrusion detection/prevention and pretty much anything else that can run on the network or the host – so why would it be any different for DLP? It won’t be- as I’ve discussed before, DLP will be all over the place and will integrate with these existing investments, while being managed someplace else. Why the heck should the guy managing AV be dealing with highly sensitive policy violations around the use of intellectual property? Besides, the different gateway vs. desktop AV argument is spurious- most organizations do that for defense in depth. The management of deploying and integrating DLP will be the responsibility of the network and host teams Amrit is so enamored with. The management of DLP policies and violations will be a separate group (in a big enough organization) with a data/content/compliance focus. There are two kinds of administrative responsibilities- the one to solve the problem, and the one to keep the stuff running. The latter is a throwaway, and can be implemented by whoever is “in charge” of the platform where the sensor is being deployed. So if one believes, as I do, that DLP will converge with adjacent security and eventually systems management functions and one believes, as I do, that there is a pretty clear separation of duties between the network and host operations folks in an organization then one would have to question analysis that called for a converged network/host solution. Or, if you believe as I do that we’re here to solve business problems and not just support organizational momentum of the past, the only way to solve DLP is through a hybrid solution. It makes absolutely no sense to have to build different data protection policies for the network, host, and storage; rather, we’ll build one policy based on the content and distribute that to all the necessary enforcement points. That’s where DLP is headed. We’ll let BigFix distribute the agents and keep them running, just as we let the mail and web gateways keep their DLP engines running. Don’t worry Amrit, you guys will continue to see your success as an endpoint management tool. But you’ll be distributing agents for something that connects back to a DLP tool that also talks to network gateways, storage, and a bunch of other stuff. That is not to say that there shouldn”t be an ideal of integration, but an ideal is a far cry from reality and the reality is that network focused tool vendors are terrible, absolutely abysmal at providing central management of desktop technologies (can anyone say Cisco CSA?) so why would an organization deploy an agent from a network focused company? And for that matter why would an organization deploy a network device from a desktop focused vendor – they wouldn”t, unless the vendor had mastered both, and there were no organizational politics between the network and desktop teams, and there was good collaboration between the security and operations teams,

Sorry it took me so long, but the cert is updated for the next 3 years and set to the correct domain name. Share: